As utilization of the Internet increases and the number of Web sites grows, the level of sophistication among Internet users can be expected to vary more widely. Already, many different types of Internet Web sites have large, diverse user bases. The wide array of Web sites currently accessed by this diverse set of users ranges from social networking sites, to on-line sites for facilitating financial and other transactions, to e-commerce sites for advertising and selling products and services to on-line customers.
Unsurprisingly, given the amount of information exchanged through such sites, computer hackers intent on perpetrating identity theft or obtaining confidential user information often target popular Web sites and their users. Although certain users have at least some awareness of the risks associated with such sites and at least some ability to protect themselves, other users with less innate skill or accumulated experience are more vulnerable.
A prevalent technique for illicitly obtaining confidential information, for example, is phishing. Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as a username, password, or credit card information, by posing as a trustworthy entity. Phishing is typically carried out by email or instant messaging, and often directs a user to enter confidential information at a Web site.
Current approaches that attempt to protect Web sites and their users include providing users with enhanced technology, such as stronger authentication mechanisms. While solutions such as two-factor authentication devices can reduce phishing attacks, the solutions do not necessarily eliminate them. Strong authentication technology and solutions, moreover, typically add to the cost of operating a site, cost that is ultimately borne by consumers who use the site. Such approaches also can increase the complexity confronting users.
Another approach is to restrict access to advanced functions on a Web site to those users who have formed a stronger relationship with the sponsor of the site. For example, before a user can use a particular site, the user might be required to register certain verifiable financial information at the site. A drawback of this solution is that providing such information does not guarantee that the user is any more aware of the need for security, let alone of how to achieve it; it establishes only that the user has certain financial resources and is willing to share information pertaining to those resources. While such an approach can offer the Web site sponsor greater protection from fraud, it does little or nothing to enhance security for users of the site.